Posts tagged ‘email’

September’s spam

Just today I recalled that I was going to commit myself to posting an analysis of the spam I received each month. That was waaay back around March, so I’ve decided maybe I shouldn’t commit to that sort of time frame. What made me take so long? Well..

(screenshot: spambox)

This is my personal account’s spam box you see here. While this isn’t really that much spam, it is still a lot to analyze. And this account doesn’t get spammed nearly as much as my website-related ones.

So, instead of analyzing spam from my mailbox today, I’ve decided to post a small analysis of some of the denied mail in my mail server logs. This is much easier to do.

Sep 20 09:15:03 wine postfix/smtpd[7384]: NOQUEUE: reject: RCPT from unknown[219.85.166.*]: 554 5.7.1 Service unavailable; Client host [219.85.166.*] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.85.166.*; from=<joe_***@gmail.com> to=<vbibi***@gmail.com> proto=SMTP helo=<209.40.199.*>

Sep 20 09:45:25 wine postfix/smtpd[7422]: NOQUEUE: reject: RCPT from 118-169-213-*.dynamic.hinet.net[118.169.213.*]: 554 5.7.1 Service unavailable; Client host [118.169.213.*] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=118.169.213.*; from=<frances-****@gmail.com> to=<vbibio**@gmail.com> proto=SMTP helo=<209.40.199.*>

Sep 20 10:13:34 wine postfix/smtpd[7467]: NOQUEUE: reject: RCPT from 123-204-136-*.adsl.dynamic.seed.net.tw[123.204.136.*]: 554 5.7.1 Service unavailable; Client host [123.204.136.*] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=123.204.136.*; from=<baby***@gmail.com> to=<vbibi***@gmail.com> proto=SMTP helo=<209.40.199.*>

Sep 20 12:56:52 wine postfix/smtpd[11310]: NOQUEUE: reject: RCPT from unknown[219.85.3.*]: 554 5.7.1 Service unavailable; Client host [219.85.3.*] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.85.3.*; from=<all9***@gmail.com> to=<vbibi***@gmail.com> proto=SMTP helo=<209.40.199.*>

As you may have noticed, these four rejections came from four different client addresses (each of them listed on Spamhaus Zen, two of them in dynamic-IP ranges with no reverse DNS), yet every one of them presented the same HELO name, which is

209.40.199.*

So it makes sense to add that name to my HELO deny list. Even though I’ve masked the last octet here, it is the same address every single time. Bear in mind that the HELO string is whatever the client chooses to send, so blocking it stops this bot herd’s current habit rather than the herd itself; it is a cheap win all the same, and a bare IP address isn’t even a valid HELO argument (RFC 5321 wants a host name or a bracketed address literal). The next thing I noticed is the constant attempts to send to this address

vbibi***@gmail.com

which I assume is either a really unfortunate victim, or an address used to check whether a given server is an open relay: this server is not an MX for gmail.com, so each of these RCPT commands is a relay attempt, and the Spamhaus check simply fired before reject_unauth_destination got its turn. Again, it is the same address in every one of the log lines, even with the last few characters masked.
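To make this kind of triage repeatable, here is a small log parser added to this page as an example (it is not part of the original post). It takes the four reject lines above, rejoined onto single lines with the masked octets left in place, groups them by HELO name and by recipient, counts which DNSBL did the rejecting, and renders candidate lines for a check_helo_access table. The local domain example.com and the table path in the comments are placeholders, not taken from the post.

```python
import re
from collections import Counter, defaultdict

# The four NOQUEUE lines quoted above, joined back onto one line each.
# The masked octets and local-parts (the * characters) are left exactly as shown.
SAMPLE_LOG = """\
Sep 20 09:15:03 wine postfix/smtpd[7384]: NOQUEUE: reject: RCPT from unknown[219.85.166.*]: 554 5.7.1 Service unavailable; Client host [219.85.166.*] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.85.166.*; from=<joe_***@gmail.com> to=<vbibi***@gmail.com> proto=SMTP helo=<209.40.199.*>
Sep 20 09:45:25 wine postfix/smtpd[7422]: NOQUEUE: reject: RCPT from 118-169-213-*.dynamic.hinet.net[118.169.213.*]: 554 5.7.1 Service unavailable; Client host [118.169.213.*] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=118.169.213.*; from=<frances-****@gmail.com> to=<vbibio**@gmail.com> proto=SMTP helo=<209.40.199.*>
Sep 20 10:13:34 wine postfix/smtpd[7467]: NOQUEUE: reject: RCPT from 123-204-136-*.adsl.dynamic.seed.net.tw[123.204.136.*]: 554 5.7.1 Service unavailable; Client host [123.204.136.*] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=123.204.136.*; from=<baby***@gmail.com> to=<vbibi***@gmail.com> proto=SMTP helo=<209.40.199.*>
Sep 20 12:56:52 wine postfix/smtpd[11310]: NOQUEUE: reject: RCPT from unknown[219.85.3.*]: 554 5.7.1 Service unavailable; Client host [219.85.3.*] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.85.3.*; from=<all9***@gmail.com> to=<vbibi***@gmail.com> proto=SMTP helo=<209.40.199.*>
"""

# One smtpd reject line: stage, client rDNS and IP, reply code and enhanced status,
# the free-text reason (which may itself contain semicolons), then the envelope fields.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<rdns>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)
DNSBL_RE = re.compile(r"blocked using (\S+);")


def parse_rejects(log_text):
    """Return one dict per reject line; unrelated log lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def clients_per_helo(records):
    """Map each HELO name to the set of client IPs that presented it."""
    out = defaultdict(set)
    for r in records:
        out[r["helo"]].add(r["ip"])
    return out


def helo_deny_candidates(records, min_clients=2):
    """HELO names shared by several distinct clients: one campaign driving many bots.
    Those are the cheap wins for a check_helo_access deny list."""
    return sorted(h for h, ips in clients_per_helo(records).items() if len(ips) >= min_clients)


def relay_attempts(records, local_domains):
    """Recipients outside the domains this server accepts mail for. Each one is a relay
    attempt (an open-relay probe, or a bot that treats every MX as a relay)."""
    return Counter(r["rcpt"] for r in records
                   if r["rcpt"].rsplit("@", 1)[-1].lower() not in local_domains)


def dnsbl_hits(records):
    """Which DNSBL did the rejecting, and how often."""
    hits = Counter()
    for r in records:
        m = DNSBL_RE.search(r["reason"])
        if m:
            hits[m.group(1)] += 1
    return hits


def helo_access_map(helos, action="REJECT forged HELO"):
    """Render lines for a check_helo_access table (e.g. postmap hash:/etc/postfix/helo_access)."""
    return "".join(f"{h}\t{action}\n" for h in helos)


if __name__ == "__main__":
    recs = parse_rejects(SAMPLE_LOG)
    print(f"{len(recs)} rejects, by DNSBL: {dict(dnsbl_hits(recs))}")
    for helo, ips in clients_per_helo(recs).items():
        print(f"HELO {helo}: {len(ips)} distinct clients -> {sorted(ips)}")
    # example.com stands in for whatever this server actually accepts mail for
    print("relay attempts:", dict(relay_attempts(recs, {"example.com"})))
    print(helo_access_map(helo_deny_candidates(recs)), end="")
```

Feed it `grep 'NOQUEUE: reject' /var/log/mail.log` instead of the sample and the output of helo_access_map can go straight into a table referenced from smtpd_helo_restrictions as check_helo_access hash:/etc/postfix/helo_access (run postmap on it afterwards). The masked names above will of course not match anything in a real table.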

Making postfix listen on port 587

Nowadays many WiFi hotspots block or filter outbound port 25, leaving roaming email users with a problem: how do I send my mail?

If you’re lucky enough to be running your own postfix server that is already set up for SASL authentication, then give this a shot by adding it to your postfix master.cf file (usually /etc/postfix/master.cf)

# Submission service: SASL users only, and only over TLS.
# smtpd_tls_security_level=encrypt is the Postfix 2.3+ spelling of the older
# smtpd_enforce_tls=yes; either needs smtpd_tls_cert_file/smtpd_tls_key_file set in main.cf.
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o cleanup_service_name=sasl_cleanup

# Separate cleanup service so the Received: strip below only touches submitted mail.
sasl_cleanup   unix  n       -       n       -       0       cleanup
  -o header_checks=regexp:/etc/postfix/sub_header

You will also need to create a /etc/postfix/sub_header file with the following contents

/^Received: / IGNORE

This header_checks rule drops the Received: header that the submission smtpd adds for the hop from your client, which would otherwise expose the hotspot’s dynamic IP address to the receiving servers and their spam filters (dynamic ranges are widely listed on DNSBLs, and a listed IP in the first Received: header is an easy reason to reject). Because the rule is attached only to sasl_cleanup, mail arriving on port 25 keeps its full Received: trail.

Now all you need to do is set up your email client to use port 587 (submission) when connecting to your mail server, with STARTTLS and SMTP authentication turned on. With TLS enforced the server answers MAIL FROM and AUTH with “530 Must issue a STARTTLS command first” until the session is encrypted, so your password never crosses the hotspot in the clear. (You can relax this by removing the line that enforces TLS, but that opens your password up to anyone sniffing the hotspot, which is exactly the network you trust least.)

There are other ways around a port 25 block, of course; one of them is to tunnel the SMTP connection through ssh.
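Since the whole point of the submission entry is that credentials only ever travel inside TLS, here is a probe, added as an example and not part of the original post, that checks the behaviour from the outside: what the server offers in EHLO before and after STARTTLS, and whether it refuses MAIL FROM in the clear. The decision logic is separate from the network code so it can be exercised without a server; the host name and the probe@ sender address are placeholders.

```python
import smtplib
import ssl
import sys


def ehlo_extensions(smtp):
    """ESMTP keywords the server announced in the most recent EHLO (smtplib lower-cases them)."""
    return {k.upper() for k in smtp.esmtp_features}


def submission_findings(before_tls, after_tls, mail_code_in_clear):
    """Judge a submission service from two EHLO replies and one MAIL FROM attempt.

    before_tls / after_tls: sets of ESMTP keywords seen before and after STARTTLS
    (after_tls is None when STARTTLS was not attempted or failed).
    mail_code_in_clear: SMTP reply code to a MAIL FROM sent before STARTTLS, or None.
    An empty list means the service behaves the way the master.cf entry above intends."""
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not offered: nothing on this port can be encrypted")
    if "AUTH" in before_tls:
        findings.append("AUTH offered before STARTTLS: a misconfigured client will send the password in the clear")
    if mail_code_in_clear is not None and mail_code_in_clear < 400:
        findings.append("MAIL FROM accepted in the clear: TLS is optional here, not enforced")
    if after_tls is not None and "AUTH" not in after_tls:
        findings.append("AUTH not offered after STARTTLS: SASL is not enabled on this service")
    return findings


def probe_submission(host, port=587, timeout=10):
    """Connect to the submission port and report what it gets wrong (empty list = fine).
    A verifying TLS context is used on purpose: a certificate the client would not trust
    is reported as a finding instead of being silently accepted."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = ehlo_extensions(s)
        # With TLS enforced, Postfix answers this with 530 "Must issue a STARTTLS command first".
        code, _ = s.mail(f"probe@{host}")   # placeholder sender; it is never delivered
        after = None
        extra = []
        if "STARTTLS" in before:
            try:
                s.starttls(context=ssl.create_default_context())
                s.ehlo()
                after = ehlo_extensions(s)
            except (ssl.SSLError, smtplib.SMTPException) as exc:
                extra.append(f"STARTTLS failed: {exc}")
        return submission_findings(before, after, code) + extra


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for finding in probe_submission(host) or ["submission service looks right"]:
        print(finding)
```

Run it from the hotspot, not from the server itself, since that is the network path you are worried about.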

Spamassassin + ClamAV + Postfix WITHOUT Amavis (Debian)

Amavis is a notorious memory hog, and those of us renting sub-$30 VPSes just can’t afford it: on a small box even 10 MB of RAM makes a noticeable difference.

So in order to run with the least impact on memory I decided to drop amavis. The problem with this: I couldn’t find any howtos that described how to run spamassassin and clamav with postfix WITHOUT amavis. So with a little trial and error I figured it out on my own.

First make sure spamd and clamd are already running, and that spamc is installed. There are plenty of howtos on the ’net for that, so I won’t go into detail. The path a message will take is: smtpd on port 25 → the scan transport → clamsmtp on 127.0.0.1:10025 (which asks clamd) → back into Postfix on 127.0.0.1:10026 → the spamassassin pipe → spamc → sendmail(1) → the queue. To start off, add the following lines to the end of your /etc/postfix/master.cf file

# SpamAssassin filter: spamc tags the message and hands it back to Postfix
# through sendmail(1), which enters the queue via pickup rather than port 25
spamassassin unix -     n       n       -       -       pipe
    user=vmail argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

# AV scan filter (used by content_filter): delivers to clamsmtp on 127.0.0.1:10025
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes

# For injecting mail back into postfix from the filter: clamsmtp returns scanned mail
# here, and from here it goes through the spamassassin pipe above. Only the loopback
# address may talk to this port, and no other checks are applied.
127.0.0.1:10026 inet  n -       n       -       16      smtpd
        -o content_filter=spamassassin
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

(Change user=vmail to some other unprivileged account if you don’t use virtual mailboxes; the pipe transport refuses to run the command as root, and spamc should not run as root anyway.)

And in the same file look for the below line (Hint: It’s usually near the top)

smtp      inet  n       -       -       -       -       smtpd

And add the following line underneath it, indented so that master.cf treats it as a continuation of the smtp entry

        -o content_filter=scan:127.0.0.1:10025

Putting the content_filter here rather than in main.cf means only mail arriving on port 25 is sent through the scanners; the copy that spamc hands back via sendmail(1) is not filtered a second time.

Now install clamsmtp, a small SMTP proxy that passes each message through clamd for us

apt-get install clamsmtp

In /etc/clamsmtp.conf change OutAddress and Listen to read

OutAddress: 10026
Listen: 127.0.0.1:10025

While you’re at it, check the other parameters (ClamAddress in particular) so that clamsmtp can actually reach clamd. You may also want to change the header clamsmtp adds to scanned mail so you can tell which server scanned it.

After all of this is done restart the daemons

/etc/init.d/postfix restart
/etc/init.d/clamsmtp restart

Then send yourself some test mail. If it fails, work through mail.log to see which hop refused or lost the message, and make sure you followed the instructions properly; otherwise, congrats! You now have a decent spam-filtering setup without amavis. Two probes are worth sending: a message whose body contains the GTUBE test string should come back tagged by SpamAssassin, and one with the EICAR test file attached should be caught by clamsmtp. Once everything works, look at some basic SMTP-level rejection with DNSBLs (such as the zen.spamhaus.org check in the September post), so that obvious junk is turned away before spamassassin and clamav ever see it.
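To make “send yourself test mail” a real check of the pipeline rather than a check that mail arrives, here is a small script added as an example (not from the original post). It builds three probes, a clean control, one carrying the public GTUBE string and one with the EICAR test file attached, sends them through the port 25 listener so they take the full scan → clamsmtp → 10026 → spamc path, and then classifies delivered copies by the headers the two scanners leave behind. The X-Virus-Scanned header name is clamsmtp’s default and is assumed unchanged; host, sender and recipient are whatever you pass on the command line.

```python
import email
import smtplib
import sys
from email.message import EmailMessage

# Public test strings. SpamAssassin scores any message containing GTUBE at 1000,
# and every AV engine flags EICAR; neither does anything harmful.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Header clamsmtp adds to scanned mail by default (the "Header:" option); assumed unchanged.
AV_HEADER = "X-Virus-Scanned"


def build_test_message(kind, sender, recipient):
    """Build one probe: 'clean' (control), 'spam' (GTUBE in the body) or 'virus' (EICAR attached)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"filter test: {kind}"
    if kind == "clean":
        msg.set_content("Control message with no test strings; it must arrive untagged.\n")
    elif kind == "spam":
        msg.set_content("This message carries the GTUBE string and must arrive tagged as spam:\n\n"
                        + GTUBE + "\n")
    elif kind == "virus":
        msg.set_content("This message carries the EICAR test file as an attachment.\n")
        # ClamAV unpacks MIME, so a base64 attachment is enough to trigger it.
        msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    else:
        raise ValueError(f"unknown probe kind: {kind}")
    return msg


def send_probes(host, sender, recipient, port=25):
    """Submit all three probes to the public listener so they take the whole path:
    smtpd:25 -> scan -> clamsmtp:10025 -> clamd -> smtpd:10026 -> spamc -> sendmail -> queue.
    Returns {kind: 'accepted' | 'refused: ...'}; a refusal at SMTP time means a hop is broken."""
    results = {}
    with smtplib.SMTP(host, port, timeout=30) as s:
        for kind in ("clean", "spam", "virus"):
            try:
                s.send_message(build_test_message(kind, sender, recipient))
                results[kind] = "accepted"
            except smtplib.SMTPException as exc:
                results[kind] = f"refused: {exc}"
    return results


def filter_verdict(raw):
    """Inspect a delivered copy: did each scanner touch it, and did SpamAssassin tag it?
    X-Spam-Status is added to every message spamc saw; X-Spam-Flag: YES only to spam."""
    msg = email.message_from_bytes(raw)
    return {
        "av_scanned": msg[AV_HEADER] is not None,
        "sa_scanned": msg["X-Spam-Status"] is not None,
        "spam": (msg.get("X-Spam-Flag") or "").strip().upper() == "YES",
    }


if __name__ == "__main__":
    host, sender, recipient = sys.argv[1:4]
    for kind, outcome in send_probes(host, sender, recipient).items():
        print(f"{kind}: {outcome}")
```

Expect all three to be accepted at SMTP time; what happens afterwards is the actual test. The clean and GTUBE copies should land in the mailbox with filter_verdict reporting av_scanned and sa_scanned true (and spam true only for GTUBE); the EICAR copy should never arrive, and mail.log should show clamsmtp catching it.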

Quick ‘n Easy outgoing Debian etch postfix server

A quick how-to for setting up a simple postfix mail server that only needs to send outgoing email, on a Debian etch box. Really useful to have running on a web server so that services like WordPress and SMF can send mail.

First we start off with a fairly blank VM. We’ll assume the domain your server is running on is
example.com

You want to start by upgrading all your currently installed packages.

apt-get update && apt-get -y upgrade

Then you want to install the basic postfix package

apt-get install postfix

And after downloading the package, debconf will ask you a few questions

Type of server -> Internet site
Mailname -> example.com
Other destinations to accept mail for -> example.com, localhost,
  localhost.example.com

Now open up /etc/postfix/main.cf in your favourite editor and add the following to the bottom of it

smtpd_recipient_restrictions =
   permit_mynetworks,
   reject_invalid_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_unauth_destination

reject_unauth_destination is the line that actually stops your server from being an open relay: it refuses any recipient whose domain this server neither accepts mail for nor relays for. permit_mynetworks ahead of it lets hosts listed in mynetworks relay, so check that mynetworks contains only the loopback addresses and hosts you trust (the Debian default is just loopback, which is all a web server needs). The other reject_* checks turn away obviously malformed or non-existent sender and recipient domains. (reject_invalid_hostname is the pre-2.3 name of reject_invalid_helo_hostname; Postfix still accepts the old name. On Postfix 2.10 and later, relay control also lives in smtpd_relay_restrictions, whose default already refuses unauthorised relaying.)

And that’s it for my quick how-to on getting a simple postfix server set up for outgoing mail. With a little modification the server is also ready to receive mail.
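Because the order of that restriction list is what decides whether you are an open relay, here is a small checker added as an example (not part of the original post). The lint walks a restriction list the way Postfix does, stopping at the first restriction that permits, and flags any permit or access table that sits in front of reject_unauth_destination; a second function looks for an over-wide mynetworks; and probe_relay asks a live server to relay for a domain it does not host. The sender and recipient addresses in probe_relay are placeholders: use a sender at a domain you control, and run the probe from a host outside mynetworks.

```python
import re
import smtplib

# Permits that are safe ahead of the relay guard: they only ever match trusted senders.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated", "permit_tls_clientcerts"}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}

# The list from the how-to above.
PAGE_RESTRICTIONS = """
   permit_mynetworks,
   reject_invalid_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_unauth_destination
"""


def parse_restrictions(value):
    """Split a Postfix list value (commas, spaces, newlines) into lowercase tokens."""
    return [t.lower() for t in re.split(r"[\s,]+", value) if t]


def relay_findings(tokens):
    """Report anything that would let a stranger relay through this list.
    Postfix stops at the first restriction that permits, so any permit in front of
    reject_unauth_destination grants relaying to everything it matches."""
    findings = []
    guard_at = next((i for i, t in enumerate(tokens) if t in RELAY_GUARDS), None)
    if guard_at is None:
        findings.append("no reject_unauth_destination at all: this list relays for anyone")
        guard_at = len(tokens)
    for t in tokens[:guard_at]:
        if t == "permit" or (t.startswith("permit_") and t not in SAFE_PERMITS):
            findings.append(f"{t} before reject_unauth_destination: relays for whatever it matches")
        elif t.startswith("check_") and t.endswith("_access"):
            findings.append(f"{t} before reject_unauth_destination: an OK entry in that table grants relaying")
    return findings


def mynetworks_findings(value):
    """permit_mynetworks is only as safe as mynetworks: flag anything wider than your own hosts."""
    findings = []
    for net in parse_restrictions(value):
        if net.startswith(("127.", "[::1]", "[::ffff:127.")):
            continue                                  # loopback is always fine
        if net.endswith("/0"):
            findings.append(f"{net} in mynetworks: permit_mynetworks then trusts the whole internet")
        elif "/" in net and ":" not in net and int(net.rsplit("/", 1)[1]) < 16:
            findings.append(f"{net} in mynetworks is a very wide IPv4 range; is every host in it yours?")
    return findings


def probe_relay(host, port=25, sender="postmaster@example.com", rcpt="someone@example.net"):
    """Ask a live server to relay to a domain it does not host and return the RCPT reply.
    250 means open relay; 554 'Relay access denied' is what you want. Use a sender whose
    domain resolves, or reject_unknown_sender_domain fires before the relay check does."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        s.mail(sender)
        code, text = s.rcpt(rcpt)
        s.rset()
    return code, text.decode("ascii", "replace")


if __name__ == "__main__":
    tokens = parse_restrictions(PAGE_RESTRICTIONS)
    print("page list:", relay_findings(tokens) or "no relay problems")
    print("weak list:", relay_findings(parse_restrictions("permit_mynetworks, permit, reject_unauth_destination")))
    print("mynetworks:", mynetworks_findings("127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128") or "fine")
```

To lint the running configuration, feed it the output of `postconf -h smtpd_recipient_restrictions` and `postconf -h mynetworks`.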

Feb/Mar 2009 spam trend

Alright, I’ve decided that around the middle of every month I’ll post a quick note on the email spam trends I am noticing, so that I can compare them and work out the best way to filter them.

So this month’s trend is: invoices and sales receipts pointing at wonderful “Canadian” pharmacy domains

An excerpt from one of the many messages I have received so far:

To unsubscribe from this mailing list, please log in to <removed>,
 click on "My Account", click "Update" to edit your registration details
and uncheck the "Receive Newsletter?" check box.
Or unsubscribe at <removed>

The most notable thing about this month’s spam is the subject lines, things like “iTunes Invoice #123456” and “Sales order from walmart.com”, which is especially annoying for those of us who do receive genuine iTunes invoices from Apple.

Fortunately this spam is easily blocked with simple text analysis, so it’s no biggie. It’s definitely better than this time last year, when the message text was embedded in an image and an OCR plugin was needed to filter it out of your inbox with a low false-positive rate.

And if you have more gullible users on your system, you’re going to have to stop them from trying to unsubscribe from the spam: following those links only confirms that the address is read, which brings more of it. Unless of course you don’t mind an overloaded server and complaining users. ;)
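As an illustration of the “simple text analysis” mentioned above, here is a small checker added as an example (it is not the author’s filter). It flags a message whose Subject claims an invoice or receipt from a brand it knows about while the From domain, or the links in the body, belong to somebody else. The brand-to-domain table is an assumption made for the example and would need extending for real users; the two sample messages in the test are constructed, and the domain matching is deliberately crude (last two labels, no public-suffix list).

```python
import email
import re
import sys
from email import policy
from urllib.parse import urlparse

# Assumed brand -> legitimate domains table (not from the page; extend for your users).
BRAND_DOMAINS = {
    "itunes": {"apple.com", "itunes.com"},
    "apple": {"apple.com"},
    "walmart": {"walmart.com"},
}
INVOICE_RE = re.compile(r"\b(invoice|receipt|sales order|order confirmation|payment)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def registered_domain(host):
    """Last two labels of a host name: crude (no public-suffix list) but enough for .com brands."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brands(subject):
    """Brands from the table whose name appears in the Subject."""
    s = subject.lower()
    return {b for b in BRAND_DOMAINS if b in s}


def invoice_findings(raw):
    """Flag a message whose Subject claims an invoice/receipt from a known brand while
    its From domain or the links in its body point somewhere else. Empty list = no finding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    brands = claimed_brands(subject)
    if not brands or not INVOICE_RE.search(subject):
        return []                      # not pretending to be a receipt from a brand we know
    legit = set().union(*(BRAND_DOMAINS[b] for b in brands))
    findings = []

    from_hdr = msg["From"]
    from_domain = ""
    if from_hdr is not None and from_hdr.addresses:
        from_domain = registered_domain(from_hdr.addresses[0].domain)
    if from_domain and from_domain not in legit:
        findings.append(f"Subject claims {sorted(brands)} but From is @{from_domain}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    link_domains = {registered_domain(urlparse(u).hostname or "") for u in URL_RE.findall(text)}
    foreign = {d for d in link_domains if d and d not in legit}
    if foreign:
        findings.append(f"links lead to {sorted(foreign)}, not to {sorted(legit)}")
    return findings


if __name__ == "__main__":
    # Pipe a raw message in: e.g. from a procmail or header_checks-style pre-filter.
    for finding in invoice_findings(sys.stdin.buffer.read()) or ["no brand/invoice mismatch"]:
        print(finding)
```

The two signals are independent on purpose: spammers sometimes forge a plausible From address, in which case the links still give them away, and sometimes hide the pharmacy link behind a redirector, in which case the From domain does.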